Hello everyone,
Maybe someone can help me understand. I create a new AD LDS instance using the adaminstall wizard and specify group D1 as the group that has administrative privileges for the instance.
After that I connect to my new instance using ldp.exe and bind as user userd1, who is a member of the D1 group. Here I need to say that userd1 has no special rights on the local machine where I created the AD LDS instance; it's just an ordinary domain user.
Now I try to update the owner information of any object in the directory (e.g. right-click CN=Configuration -> Advanced -> Security Descriptor -> mark only the Update: Owner check box and click Update) and get the following error in return:
ldap_modify_ext_s(ld, 'CN=Configuration,CN={C47F44A6-81EA-40EC-A228-E08714402D1C}', attrs, SvrCtrls, ClntCtrls);
Error: Modify: Constraint Violation. <19>
Server error: 0000051B: AtrErr: DSID-030F1F8D, #1:
0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
Error 0x51B This security ID may not be assigned as the owner of this object.
After some trial and error, I found out that if I give userd1 the SeRestorePrivilege privilege (or just add the user to the local Administrators group) on the local machine, then I can successfully update the owner information of any object in the directory.
Therefore, my questions are:
1) Why does userd1 have to have any additional rights on the local machine in order to change the owner information of objects in the AD LDS directory? Why is it not enough to be a member of the Administrators group of that AD LDS instance? Administrators have full control of objects in the directory, including the WRITE_OWNER right.
2) Is there a way to update the owner information without adding the user to the local Administrators group or giving him the "Restore files or directories" privilege on the local machine?
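To make the ldp.exe steps above repeatable and capture exactly what the server returns, the following PowerShell script (an added example, not part of the original post) checks whether the calling token holds SeRestorePrivilege, binds to the AD LDS instance with the current credentials, reads the current owner of the object, and then sends a modify of nTSecurityDescriptor scoped to the Owner portion only, which is what ldp's "Update: Owner" check box does. The instance host/port and the new-owner SID are placeholders; the target DN is the one from the post. Run it as userd1 on the AD LDS host to reproduce the failure, then again after granting the privilege to confirm the difference.

```powershell
# Added example (not from the original post): reproduce the "Update: Owner" step
# against an AD LDS instance programmatically and report the server's error.
# Placeholders: $server (instance host:port) and $newOwner (SID) are assumptions.

Add-Type -AssemblyName System.DirectoryServices.Protocols

$server   = 'localhost:50000'   # ASSUMPTION: host:port of the AD LDS instance
$targetDn = 'CN=Configuration,CN={C47F44A6-81EA-40EC-A228-E08714402D1C}'  # DN from the post
$newOwner = 'S-1-5-21-0-0-0-1234'   # PLACEHOLDER SID to assign as the new owner

# 1. Is SeRestorePrivilege present in the current token on this machine?
$hasRestore = [bool]((whoami /priv) -match 'SeRestorePrivilege')
Write-Host "SeRestorePrivilege present in token: $hasRestore"

# 2. Bind to the instance with the current credentials (run as userd1 to reproduce)
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()

# 3. Read only the Owner part of the security descriptor
$ownerFlag = [System.DirectoryServices.Protocols.SecurityMasks]::Owner
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $targetDn, '(objectClass=*)', 'Base', 'nTSecurityDescriptor')
$search.Controls.Add(
    (New-Object System.DirectoryServices.Protocols.SecurityDescriptorFlagControl($ownerFlag))) | Out-Null
$resp    = $conn.SendRequest($search)
$sdBytes = $resp.Entries[0].Attributes['nTSecurityDescriptor'].GetValues([byte[]])[0]
$sd      = New-Object System.Security.AccessControl.RawSecurityDescriptor($sdBytes, 0)
Write-Host "Current owner: $($sd.Owner)"

# 4. Replace the owner and write back only the Owner portion (same scope as ldp's check box)
$sd.Owner = New-Object System.Security.Principal.SecurityIdentifier($newOwner)
$out = New-Object byte[] $sd.BinaryLength
$sd.GetBinaryForm($out, 0)

$mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$mod.Name      = 'nTSecurityDescriptor'
$mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$mod.Add($out) | Out-Null

$modify = New-Object System.DirectoryServices.Protocols.ModifyRequest($targetDn, $mod)
$modify.Controls.Add(
    (New-Object System.DirectoryServices.Protocols.SecurityDescriptorFlagControl($ownerFlag))) | Out-Null

try {
    $null = $conn.SendRequest($modify)
    Write-Host 'Owner updated successfully.'
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    # Without SeRestorePrivilege the post reports ConstraintViolation / 0000051B here
    $r = $_.Exception.Response
    Write-Host "Modify failed: $($r.ResultCode) - $($r.ErrorMessage)"
} finally {
    $conn.Dispose()
}
```

The SecurityDescriptorFlagControl on both the search and the modify is what keeps the operation limited to the owner field; without it the server would expect a full descriptor, and a failure could then come from the DACL or SACL parts rather than the owner change you are actually testing.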